A default Asterisk install works, but is pretty insecure, leaving it up to the administrator to decided how to secure it that works for them. Below are some suggestions (and things I have done) to secure Asterisk.

Fail2Ban:

This is a pretty simple implementation, and can be done quickly. I have already setup an email relay on my Asterisk box to email me, so you may need to do that before hand or modify the settings slightly. I really enjoy being able to know by email what bad things are happening.

First, modify Asterisk to spit out errors in a separate log file:

Edit /etc/asterisk/logger.conf and:

– Un-comment the first dateformat line under [general]:

dateformat=%F %T   ; ISO 8601 date format

– Then, modify the messages line near the bottom and add security:

messages => security,notice,warning,error

Restart the Asterisk logger module to make the changes take effect:

sudo asterisk -rx "logger reload"

Now, install fail2ban:

sudo apt-get -y install fail2ban

Add the folowing to the end of /etc/fail2ban/jail.conf:

[asterisk-iptables]
# if more than 4 attempts are made within 6 hours, ban for 24 hours
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
              sendmail[name=ASTERISK, dest=dest@email.here, sender=fail2ban@address.here]
logpath  = /var/log/asterisk/security
maxretry = 4
findtime = 21600
bantime = 86400

Then, move the existing asterisk.conf in filter.d to a backup in the directory below (or wherever else you would like):

cd /etc/fail2ban/filter.d
sudo mv asterisk.conf ../asterisk.conf.orig

Create a new asterisk.conf in filter.d and add the following:

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
   
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Restart fail2ban:

sudo service fail2ban restart

SIP On Asterisk:

Edit sip.conf and add the following under [general]:

allowguest=no
alwaysauthreject=yes

Also, change the context line to either an empty context in extensions.conf, or also edit the default extensions.conf and comment out “include => demo” under [public].

Another configuration tip is to not set the extension number as the SIP username.